v1.5.4

Creation Date: 26.01.2021

21211 – Restrictions Policy

For an endpoint, a specific IP White List and IP Black List can be defined.

  • The tenant admin can add an IP White List and an IP Black List using the Restrictions Policy.

Security Improvements

22377 – Super admin accounts are only given access to specific external IPs

The /superadmin path can only be accessed from specific external IPs, so this path, which is important for product management, is protected against attacks from outside.

  • The IP White List middleware was added to Traefik.
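The two items above (the per-endpoint Restrictions Policy and the external-IP restriction on /superadmin) both reduce to the same check: match the client address against allow and deny ranges before the request is routed. The following is an added example written for these notes, not ApiGo's code nor Traefik's ipWhiteList middleware; the path prefixes, the addresses (taken from the RFC 5737 documentation ranges) and the "black list wins" precedence are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RestrictionsPolicy:
    """Per-endpoint IP restrictions (added example, not ApiGo's implementation).

    A client is allowed when its address is inside no black-list range and,
    if a white list is configured, inside at least one white-list range.
    An empty white list means "any address not black-listed".
    """
    whitelist: list = field(default_factory=list)
    blacklist: list = field(default_factory=list)

    def __post_init__(self):
        # Accept single addresses ("198.51.100.77") as well as CIDR ranges.
        self.whitelist = [ipaddress.ip_network(n, strict=False) for n in self.whitelist]
        self.blacklist = [ipaddress.ip_network(n, strict=False) for n in self.blacklist]

    def allows(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.blacklist):
            return False          # assumption for this example: black list always wins
        if not self.whitelist:
            return True
        return any(addr in net for net in self.whitelist)


# Constructed configuration: path prefix -> policy. /superadmin is reachable only
# from the (constructed) office range; one address is blocked on the payments API.
POLICIES = {
    "/superadmin": RestrictionsPolicy(whitelist=["203.0.113.0/24"]),
    "/api/payments": RestrictionsPolicy(blacklist=["198.51.100.77"]),
}


def check_request(path: str, client_ip: str) -> int:
    """Return the HTTP status the gateway would answer with before routing:
    403 when the matching policy rejects the client, 200 otherwise."""
    for prefix, policy in POLICIES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return 200 if policy.allows(client_ip) else 403
    return 200  # no policy configured for this path


if __name__ == "__main__":
    for path, ip in [("/superadmin", "203.0.113.10"), ("/superadmin/users", "198.51.100.5"),
                     ("/api/payments", "198.51.100.77"), ("/public", "198.51.100.77")]:
        print(path, ip, "->", check_request(path, ip))
```

The value passed as `client_ip` must be the address of the TCP peer or, when the gateway sits behind a load balancer, the address a trusted proxy wrote into the forwarding header; a forwarding header copied straight from the client request would let anyone choose the address the policy sees.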

21211 – Grafana arrangement

A malicious user who reaches the DB layer through SQL injection must not be able to run DROP, DELETE, TRUNCATE or UPDATE commands.

  • A new DB user was created for the Grafana reports.

  • This DB user only has SELECT permission.
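The point of the SELECT-only reporting user is that even if an injected statement reaches the database, the destructive commands named above fail at the permission layer. The added example below (not ApiGo's code) reproduces that effect with a read-only SQLite connection standing in for the restricted DB user; the actual GRANT syntax depends on the DBMS Grafana is pointed at, and the table and rows are constructed for the example.

```python
import os
import sqlite3
import tempfile


def create_report_db(path: str) -> None:
    """Create constructed sample data standing in for the tables Grafana reports on."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE IF NOT EXISTS login_events "
                "(id INTEGER PRIMARY KEY, tenant TEXT, ok INTEGER)")
    con.executemany("INSERT INTO login_events (tenant, ok) VALUES (?, ?)",
                    [("bank-a", 1), ("bank-a", 0), ("bank-b", 1)])
    con.commit()
    con.close()


def open_reporting_connection(path: str) -> sqlite3.Connection:
    """Read-only connection: the SQLite equivalent of a DB user with SELECT only."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def run_report_query(con: sqlite3.Connection, sql: str):
    """Run a statement as the reporting user.

    Returns ("ok", rows) when the statement succeeds and ("denied", message)
    when the database refuses it, which is what happens for any write.
    """
    try:
        cur = con.execute(sql)
        return "ok", cur.fetchall()
    except sqlite3.OperationalError as exc:
        return "denied", str(exc)


def demo() -> dict:
    """Show that reporting works while DELETE/UPDATE/DROP are refused.
    (SQLite has no TRUNCATE statement, so that one is not exercised here.)"""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.db")
        create_report_db(path)
        con = open_reporting_connection(path)
        results = {
            "select": run_report_query(
                con, "SELECT tenant, SUM(ok) FROM login_events GROUP BY tenant"),
            # The write statements the notes say the reporting user must not run:
            "delete": run_report_query(con, "DELETE FROM login_events"),
            "update": run_report_query(con, "UPDATE login_events SET ok = 1"),
            "drop": run_report_query(con, "DROP TABLE login_events"),
        }
        con.close()
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:7} -> {outcome}")
```

Keep the reporting credentials out of the application's own connection string: the mitigation only holds if the Grafana data source is the only place the restricted user is used and the read/write user is never reachable from the dashboard side.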

22189 – Endpoint development that checks banks’ own sessionIds

The endpoint checks the sessionID; if it is not present, the login request is not allowed. This provides an additional security measure.

  • An endpoint that validates the sessionID sent in the request body was added.

22216/22737 – Configuration for Airapi users to register and log in with Microsoft Azure accounts

ApiGo users can register and log in to the admin panel with their Microsoft Azure account.

  • An App was created on Azure with the company account for com and com.tr.

  • Users can log in and register with Microsoft Azure accounts.

22189 – Adding the custom claim information sent from the header to the authorization token

Information that is important for the bank, such as WebUserID, LastName, Firstname, etc., is transferred to the authorization token.

Management Portal

21206 – Developing a policy that validates JSON data in the request body

The policy validates the request body against a data model defined by the admin. If the body is not valid, the policy blocks the request, so it is not sent to the bank back-end system.

  • The policy works with the PUT or POST method.

  • The JSON schema must be supplied by the tenant admin.

  • If the request data is not valid, the policy returns the 422 Unprocessable Entity status code.
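Both the sessionID endpoint (22189) and this validation policy (21206) reject a request at the gateway, before anything reaches the bank back end, when the body does not match what the tenant expects. The added example below is not ApiGo's policy code; it implements a small subset of JSON Schema (type, required, properties, additionalProperties, items, minLength) with the standard library only, applies it to PUT/POST bodies, and answers 422 with a list of errors. The login schema is constructed for the example and is an assumption about what a tenant admin might upload.

```python
import json

# JSON Schema type name -> Python type(s). bool is excluded from the numeric
# types below because it is a subclass of int in Python.
_TYPES = {"object": dict, "array": list, "string": str, "integer": int,
          "number": (int, float), "boolean": bool, "null": type(None)}


def _check(value, schema, path="$"):
    """Recursively compare a parsed JSON value with a schema; return error strings."""
    errors = []
    expected = schema.get("type")
    if expected:
        is_bool = isinstance(value, bool)
        ok = isinstance(value, _TYPES[expected]) and not (
            expected in ("integer", "number") and is_bool)
        if not ok:
            return [f"{path}: expected {expected}"]
    if expected == "object":
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required property missing")
        props = schema.get("properties", {})
        for name, sub in props.items():
            if name in value:
                errors += _check(value[name], sub, f"{path}.{name}")
        if schema.get("additionalProperties") is False:
            errors += [f"{path}.{name}: property not allowed"
                       for name in value if name not in props]
    elif expected == "array" and "items" in schema:
        for i, item in enumerate(value):
            errors += _check(item, schema["items"], f"{path}[{i}]")
    elif expected == "string" and len(value) < schema.get("minLength", 0):
        errors.append(f"{path}: shorter than minLength {schema['minLength']}")
    return errors


def validate_request(method: str, body: str, schema: dict):
    """Gateway policy. Returns (status, payload): 200 with the parsed body when
    the request may be forwarded, 422 with the error list when it is blocked."""
    if method not in ("POST", "PUT"):
        return 200, None                      # policy applies only to PUT and POST
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        return 422, {"errors": [f"$: body is not valid JSON ({exc.msg})"]}
    errors = _check(data, schema)
    if errors:
        return 422, {"errors": errors}
    return 200, data


# Constructed schema for a login body: the sessionID must be present, which is
# the check the sessionID endpoint performs, and unknown fields are refused.
LOGIN_SCHEMA = {
    "type": "object",
    "required": ["sessionID", "username"],
    "properties": {
        "sessionID": {"type": "string", "minLength": 16},
        "username": {"type": "string"},
        "rememberMe": {"type": "boolean"},
    },
    "additionalProperties": False,
}

if __name__ == "__main__":
    print(validate_request("POST", '{"username": "alice"}', LOGIN_SCHEMA))
    print(validate_request("POST", '{"sessionID": "0123456789abcdef", "username": "alice"}',
                           LOGIN_SCHEMA))
```

Rejecting unknown properties (`additionalProperties: false`) is the part worth keeping even when the rest of the schema is loose: it stops fields the back end never expected, such as role or account flags, from riding along in a body that is otherwise well formed.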

21194 – Adding description to scope selection page

This description appears on the scope selection screen in IdentityServer, so banks can explain scope details to their customers.

21206 – Adding advanced settings to the application creation page

The tenant admin can configure authorization token lifetime settings for their own applications.

  • This configuration can only be set in the Management Portal.

  • These settings take priority over the global token settings.
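Two of the items above shape what goes into the authorization token: the bank-supplied header values that become custom claims (22189) and the per-application lifetime that overrides the global setting (21206). The added example below is not ApiGo's or IdentityServer's code; it issues and verifies an HS256 JWT with the standard library, copies only an allow-listed set of headers into claims, and resolves the lifetime per application. The setting names, header names, application ids and the secret are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed settings; the field names are assumptions, not ApiGo's.
GLOBAL_TOKEN_SETTINGS = {"access_token_lifetime": 3600}
APPLICATIONS = {
    "mobile-bank-app": {"access_token_lifetime": 300},  # set by the tenant admin
    "branch-portal": {},                                  # no override: global applies
}
# Header name -> claim name. Only these headers are ever copied into the token.
CLAIM_HEADERS = {"X-WebUserID": "WebUserID", "X-LastName": "LastName",
                 "X-Firstname": "Firstname"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_lifetime(app_id: str) -> int:
    """The application-level lifetime, if configured, wins over the global one."""
    return APPLICATIONS.get(app_id, {}).get(
        "access_token_lifetime", GLOBAL_TOKEN_SETTINGS["access_token_lifetime"])


def claims_from_headers(headers: dict) -> dict:
    """Copy the allow-listed headers into claims; every other header is ignored."""
    return {claim: headers[h] for h, claim in CLAIM_HEADERS.items() if h in headers}


def issue_token(app_id: str, subject: str, headers: dict, secret: bytes, now=None) -> str:
    """Build a signed HS256 JWT carrying the standard and the custom claims."""
    now = int(time.time() if now is None else now)
    payload = {"sub": subject, "client_id": app_id, "iat": now,
               "exp": now + token_lifetime(app_id)}
    payload.update(claims_from_headers(headers))
    header = {"alg": "HS256", "typ": "JWT"}
    compact = json.dumps  # JWT segments use compact JSON
    signing_input = (_b64url(compact(header, separators=(",", ":")).encode()) + "." +
                     _b64url(compact(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_token(token: str, secret: bytes, now=None):
    """Verify signature and expiry; return the claims, or None if either fails."""
    now = int(time.time() if now is None else now)
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        return None
    claims = json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
    if claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    secret = b"constructed-test-secret"
    hdrs = {"X-WebUserID": "u-42", "X-LastName": "Doe", "X-Firstname": "Jane"}
    tok = issue_token("mobile-bank-app", "u-42", hdrs, secret)
    print(tok)
    print(decode_token(tok, secret))
```

The headers that feed the custom claims must come from the bank's side of the gateway: if the same header names are accepted from the end user's request, a caller can set their own WebUserID. The gateway should strip or overwrite those headers on inbound traffic before they reach the code that issues the token.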

21219 – Adding a timeout field for the device push token on the app-to-app configuration page

A timeout field has been added to device push tokens; this prevents security vulnerabilities that could otherwise arise.

Landing Page

15914 – Deploying new Landing Page

The new Landing Page was deployed on ApiGo.

FIXED ISSUES
